CVE Catalog

CVE-2026-42457

Critical
Published: Translated: NVD NIST

Summary

vCluster Platform prior to versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0 has a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context.

Risk Assessment

An attacker with the ability to create namespaces could potentially create a new Global-Admin user, bypassing other security restrictions, which poses a serious threat to the organization.

Recommendation

It is recommended to upgrade to versions 4.4.3, 4.5.5, 4.6.2, 4.7.1, or 4.8.0 to mitigate this vulnerability.

Original NVD description (English source)

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst case, a malicious user could potentially create a new Global-Admin user, bypassing other security restrictions. The attacker needs the ability to create namespaces. This vulnerability is fixed in 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS